Ask Hackaday: How are these thieves exploiting automotive keyless entry?


A new attack on automotive keyless entry systems is making headlines and we want to know how you think it’s being done. The Today Show reports that vehicles of different makes and models are being broken into using keyless entry on the passenger’s side of the car. It sounds like thieves steal items found inside rather than the vehicles themselves which makes these crimes distinctly different from the keyless ignition thefts of a year ago.

So how are they doing this? Here are the clues: The thieves have been filmed entering only the passenger side of the car. They hold a small device in their hand to unlock the doors and disable the alarm. And there is evidence that it doesn’t work on 100% of vehicles they try. Could it be some hidden manufacturer code reset? Has an encryption algorithm been hacked to sniff the keyfob identifier at a previous time? Or do you think we’re completely off track? Let us know your opinion by leaving a comment.

[Thanks Mom]

Comments

  1. Per Jensen says:

    The TV programme mentions nothing about if the owner has CHECKED that the car is indeed locked. I would guess the thieves have a jammer, preventing the owner to lock the car, as most people just lock it with their backs turned at the car, and they don’t check if the car locks… That would allow the thieves to open the car and get the items.

    • VerticalHover says:

      Sounds good, but they wouldn’t need a device to open the car later if they were jamming it when it was being locked.

      • _phnx_ says:

        Exactly. If you can prevent then you don’t have to overcome. It’s like an old episode of MacGyver where there was a science contest based around ‘locking a room’ and the winning student used a system that made you think it was locked when it wasn’t and wasn’t when you thought it was.

        Additionally a remote jammer could account for the few that it didn’t open (jammer signal picked up interference) but does nothing for the ‘always the passenger-side’ aspect.

        • Mental2k says:

          Jammer signals generally are interference, well mobile phone ones are. They just broadcast white noise on the relevant frequency. AFAIK

          • _phnx_ says:

            And if something like distance caused ‘less’ of the jammer signal to be ‘in play’. 20ft.=70% success; 30ft.= 60%… etc.

          • draeath says:

            You only need to use noise if it’s an intelligent system that can “burn through” like fire control radar.

            For simple radio communications or data transfer, all you need is a loud enough tone to drown out the signal.

        • Adam R says:

          Good episode. I believe he used a miniature model of a garage door opener, visible through the peephole, but another student cheated by using a parabolic listening device to hear his plans. Then there was something about speeding up the clock in the other student’s time-based lock.

          Anybody know what episode and season that was?

        • jarred-Awesome says:

          Actually,
          it does. Think about it. You’re jamming a lock signal, you’re not going to hop right into the car. You’re going to wait for the owner to leave your sight in case he turns around.

          They might be hiding behind the car until that point, then just using the closest door to them.

          • George Humphrey says:

            No, the video shown on Today makes it clear that this is not the case.

        • Clayton Jones says:

          Ryman and son, Ryman and son.

        • jake says:

          I remember that episode! Didn’t one student subsequently cheat and then flip out by building a bomb in the school’s nuclear lab?

        • Brian says:

          I believe the attack always being on the passenger side is a coincidence. It is very unlikely it is a jammer. You can see the lights come on and even hear the locks move when the device is activated. They are actively unlocking the car when the device is turned on. I assume that the random rolling code generator algorithm has been compromised.

    • Erik Johnson says:

      This, a friend of mine was auto burgled and his car left unscathed. He insisted that the car automatically locks itself after a timeout when he walks away with his remote. I have never heard of such a thing (while I don’t doubt it exists – my old Saab would auto-arm itself after 10 minutes of inactivity, but not lock the doors).
      So the next day I asked him if he locked it after having not used it in several hours and he said “yup”. I walked over and sure enough it opened right up! He was dumbfounded. Now I always poke fun at him to make sure he uses the remote and hears the armed acknowledgment from the car.

      • JamesInCA says:

        Who would make a car that auto-locks itself? That’s a support nightmare.

        • Mat Carlson says:

          Tow truck drivers; AAA; locksmiths; engineers.

          • Adam says:

            Ah, capitalism.

          • El says:

            Government keeps out competition in those industries, so more like “Ah, fascism.”

          • Blue Footed Booby says:

            @El
            I don’t think you’re entirely clear on what fascism is. o_o

          • El says:

            I’m using Benito Amilcare Andrea Mussolini’s definition of fascism: Merger of Corporation and State, though he meant that the State controls the corporations and not the other way ’round, like it’s in most of the western world today. Still, competition and a free market are part of the definition of capitalism², so whether it’s fascism or corporatism is of little consequence (fascism is better known though), it still isn’t capitalism.

            ²) http://www.merriam-webster.com/dictionary/capitalism

        • spbogie says:

          Most keyless entry cars I’ve encountered will re-lock the doors after a timeout if the door hasn’t actually been opened, so he could have misinterpreted that.

          • dan says:

            I think that you, like so many other people in this half of the comments section are misunderstanding the difference between keyless entry, and keyfob remotes.

            this keyless entry thing is where the keys just need to be in your bag, you walk up to the car and it unlocks, you don’t need to get the keys out your bag, don’t need to press a button, the re-lock feature of cars etc happens when you press the button either on the key or on the keyfob. – hence you need to touch the keys, it’s not keyless entry.

            you can’t check that a keyless car is locked. you walk away, and when your key transponder is far enough away the car locks itself, obviously if you try to go back and check this then the car will unlock itself. unless you leave your keys on the ground or send someone back to check for you!

          • _phnx_ says:

            @dan ^: sorry mate, but it’s _your_ definition of ‘keyless entry’ that is mistaken. The definition that you are promoting is a technology that is relatively new, yet cars have been equipped with ‘keyless entry’ systems for over a decade.

            ‘Keyless’ is meant to imply the lack of need to physically insert a key into a lock (ie: 30 feet away walking across the parking lot). I’m not sure of the preferred marketing term for the proximity keys that you describe, but as mentioned earlier… ‘keyless entry’ is a term that has been used to describe your ‘keyfob remotes’ for more than 10 years.

          • spbogie says:

            @dan
            Some people are clearly confusing the two (the news story didn’t help in this regard given it showed both types…) but I have a car with the new style keyfob system. The doors do not unlock simply because the keyfob is in range. It waits until you actually grab the door handle. If you then let go of the handle without opening the door it will re-lock.

          • Eric says:

            Dan,

            YOU have confused “Keyless Entry” with “Smart Keys”. Keyless entry is a KEY FOB that allows you to unlock (aka “Enter”) the vehicle without putting your key in the door. Smart Keys allow you to unlock and start the car just be being present.

        • Stefan says:

          My 14 year old Smart City Coupe locks itself after a timeout if the doors haven’t been used after unlock.
          I’ve even experienced it locking automatically after parking, but I’ve yet to verify this by trying again. Just Lazy I guess :)
          Its immobilizer also rearms after a few minutes if the car has been opened but not started.

        • markey1979 says:

          I work on Mazdas. The ones that do not use “cut” keys (credit card, advanced keyless, and smart key systems) do in fact lock and arm themselves when you walk away from the car, if that feature is programmed. For almost 10 years, I worked on Cadillacs. They too automatically lock and unlock, when you have that feature…

        • A Bryant says:

          Vauxhall, Renault, Mercedes made auto locking. Vans are sometimes fitted with auto lockers.

        • Marcus says:

          @JamesInCA Well, the upper class Mercedes had a system called Keyless Entry since the 1990s. It works like this: you don’t have a key to the car, you have some kind of a card with you. If you have that card with you, you can enter the car and start it without turning a key. When you leave the car, it locks itself after an amount of time.

          But to the case. I think it is a jammer preventing the locking of the car. That doesn’t explain why the thieves always get in the passenger door. Another thought is: what will a car do if a taser is fired in something like a door handle? I know that some cars have safety features like if the battery is low, the car opens the doors.

          My Skoda locks automatically if I unlock it with the remote and I do not open any door for a certain amount of time. Useful, but not working with jammers.

          • draeath says:

            If you fired a taser at it, you would pass electricity between the electrodes along the skin of the door handle (or through the metal, if you puncture properly).

            That will do exactly nothing to any electronics nearby (except perhaps a brief amount of RFI while you do so).

            You’ve been watching too many movies :P

        • Berserk87 says:

          I’ve worked retail many years. It’s a feature that’s available on many aftermarket alarms or remote starters. Turned the feature on for customers quite frequently.

        • dan says:

          a lot of doors automatically re-lock.

          so if you’re in the house and press the button, the car unlocks outside. if you don’t open the door the car re-locks after about five or ten minutes.

          however, if you unlock the car and open the door it shuts off the car re-lock mechanism, this means you can’t unlock a car, and leave the keys in in, shut the door and have it re-lock itself with the keys on the inside.

          similarly after a drive the car won’t re-lock itself. car re-lock only works when the car has been locked, and is unlocked but the doors have not been opened, because then it’s a certainty that the keys are still on the outside of the car!

          • draeath says:

            Note you need functioning door switches for that.

            The switches on my Hyundai had gone out, causing it to auto-lock whether or not the door had been opened.

            Drove me absolutely nuts, as whenever I had to leave it for oil changes or service I had to remind them to keep the windows down so they could get back inside.

        • Mental2k says:

          Mine does this too. But I’m not entirely sure under what conditions it does it. Quite often I’ll unlock the car only to hear it lock itself after a few minutes while I’m standing there. I’m 95% sure I don’t hit the button again but I couldn’t be 100% sure and I am 100% sure it doesn’t always happen so I make sure it’s locked.

          • Alfred says:

            It will be relock again if you press unlock but you *didn’t open any one of the door*. It is a timer against accidental/unintentional unlocking.

          • Mental2k says:

            I’m genuinely glad someone has cleared that up. I’ve been curious about it for years every time it happened. It never bugged me enough to look it up but now I know.

        • fartface says:

          Honda, GM, Jeep. All of them will do an auto lock if you walk away and not lock it and the keys are not within the vehicle. Hell even the 2006 Ford Minivan I have at work will self unlock if the keys are inside the vehicle and you press the lock button on the door.

        • Chris Muncy says:

          My 1999 Ford F350 has that feature. Once you kill the engine and close the doors, it will lock in 60 seconds *IF* the keys are not in the ignition. You have to program the factory system to do it as it is not a standard option.

        • Ben Lutgens says:

          My Mazda locks itself after a time, about 10 minutes I think. It’s annoying. The only time it won’t is if the key is in the ignition.

        • Ren says:

          My 1999 Toyota 4-Runner will lock itself after about 30 seconds…
          sometimes…
          I think it happens if I manually unlock the driver door, get out and close the door without using the “Unlock” function of the key fob.

        • soopergooman says:

          Volkswagens lock themselves automatically.

          • Niru says:

            my ’03 Jetta has some weird aftermarket thing that the original owner added. Hidden toggle-switch and LED under the dash. Sometimes the LED is on solid. Sometimes it flashes. I have no idea how it works. It locks itself automatically. Sometimes. Sometimes not. Sometimes, the alarm just goes off. Sometimes, I try to start it, and the alarm goes off. The behavior changed radically after I had to replace the stereo headunit because the CD player failed. I pity anyone who tries to steal it. :)

        • BillK says:

          Most cars that I know of if unlocked with a remote but not entered (door not opened, etc) will relock themselves after a short period of time.

        • Pouncer says:

          Kia and Hyundai models with the smart key (push button start) will auto lock only if you pressed the unlock button and never opened the door after unlocking. Once you open the door it won’t lock unless you lock it.

        • Jfalcon says:

          Ford makes cars with auto lock features, at least for the luxury vehicles. I had a 1995 Lincoln Mark VIII and the doors would auto lock once you stepped out of the car and closed the door.
          Also my dad had a 1992 Grand Marquis, and it would do the same; both had the 5-button keyless entry thing on the driver side door.
          The 2012 Ford Explorer does the same thing, however I live in Mexico so maybe it’s an upgraded security feature because of the level of crime down here…

        • Dan says:

          They make em. I am a mechanic and when I run into auto locking cars it is a royal pain. Some cars not only lock themselves with the keys still in the ignition but they also put up any open windows.

        • stuart says:

          Dodge, Jeep and other companies. I had a Journey that when you got out of the car with the fob it would auto lock and arm itself; the truck was a 2013.

      • Brainiac27 says:

        My father’s ’09 Honda Accord will lock itself after a few minutes no matter what. Locked and then proceeded to go off when I was chilling in the driver seat with the car off.

      • CoolMod says:

        My car alarm system automatically locks the doors around 30 seconds after closing all doors (and trunk), regardless of whether you are inside the car or not. It is a programmable feature that I activated and it has been very useful to me. I hear when the car locks itself when I leave and instinctively I stop and return if I don’t hear it locking (actually, it briefly honks twice when locking). So, the comment above is possible.

        • draeath says:

          I disabled the lights/horns as I don’t want to disturb neighbors or provide indication that my car is being unlocked. Paranoia :)

          I can tell though when the doors lock or unlock, and if it was just one or all, just by sound.

      • defaultex says:

        I’m more suspecting user error. One of my clients has a fancy new car with all the bells and whistles. If you leave the car unlocked and unarmed, it will lock itself and arm the alarm, making the remote for it beep when it does this (if you’re in range). Well, as he learned when his computer got stolen out of his car, the seats have weight sensors; if there is enough weight on the seats it will not automatically secure the car.

        • lhh says:

          Leaving a laptop on his seat is asking for it to be stolen anyway.

          • defaultex says:

            I agree, especially in the area I live in where people will break into your car or house during broad daylight with obvious forceful means (like kicking the door in). However it wouldn’t hurt if they configured the sensors for at least 60 lbs before it triggers. And it was a desktop computer, stolen in the store parking lot down the road on his way here. Joke’s on them however; from his description of the problem with it, it sounded like the power supply gave up the magic smoke.

      • I have a VW Jetta that will re-arm and lock itself if it’s disarmed and unlocked after 20 seconds and it’s not started; however, should I park it and get out and walk away it will not re-arm itself.

      • Jamie says:

        My car auto-locks and arms but only if the softtop roof is down — it’s a keyless system, if you walk away it locks.

      • Bryce says:

        My Toyota auto locks itself – but not under all circumstances. If I get out of the car and walk away, it doesn’t auto lock. If I lock the car, and later hit the unlock feature, it gives me 30 seconds to open a door, if I don’t within that time period, it locks itself.

      • justuan says:

        It’s called passive arming; all aftermarket alarms have it as a programmable option.

    • Robert Moser says:

      They have wireless key fobs that can copy signals from your current keys. I can’t imagine it would be too difficult to make a device to store multiple codes. Either that or they could be tripping something with an EMR based attack. All you have to do is find a way to trigger a relay and the door will open. Maybe those cars have a vulnerability in that specific region of the car.

      • AC says:

        Anything modern has rolling codes. About the only thing that has fixed codes these days are cheap garage doors.

        • Json says:

          Rolling codes can be circumvented sometimes, imagine you push the button while you are away from the vehicle. Now they are out of sync. In security testing, we replayed back 3 successive codes from a remote we sniffed, and got it to resync, and we were able to defeat.

        • fartface says:

          Expensive garage doors have static codes. Otherwise if you pressed the door button in your car while you were away you would not be able to open the door when you got home.

          • microHacks says:

            …Not usually static codes. There is a rolling code with a ‘window’ that allows re-sync. They are made that way exactly so that if you hit the button while too far away you will not lose sync with the receiver. The window is typically the next 256 rolling codes. I programmed our built in vehicle transmitters via one remote. I can go weeks opening the door with one vehicle only, then try it on the other and I’m still within the 256 code window.

            Back to the original question – I’d like to know how this hack works. Typically hitting a key fob once unlocks drivers door first, while double taps unlocks all. Why the passenger side, unless that’s where all the good loot is (laptops, purses, purchases)…

          • Rascalking says:

            Sorry, but that’s not true. This article explains (at least one method of) how to have a rolling code, but allow for accidental button presses.

            http://auto.howstuffworks.com/remote-entry2.htm

          • cybergibbons says:

            Garage doors often do use static codes, but not for that reason. They use a window of acceptable rolling codes, often 256 long. Many systems now use two way radios which stops this being as issue.

            I wrote a post about this, in relation to alarm systems, a while back:
            http://cybergibbons.com/2013/04/28/keep-rolling-rolling-rolling/

          • Extraneous says:

            Could it be that the thieves are picking up signals from owners who are away from their cars, and then using these to get in as they are one of the future 256 codes? Seems a bit contrived as either forcing a person to accidentally press a button would be difficult.

          • cybergibbons says:

            @Extraneous: yes, with one way systems you can capture valid rolling code messages and replay them as long as the receiver doesn’t hear them to move the window forwards. With two way systems, you can relay the communications over longer distances as most of the protocols don’t care about latency.
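The window-and-replay behaviour that microHacks and cybergibbons describe above, as a toy model added here (not code from Hackaday, from any commenter, or from any manufacturer’s system): a fob counter protected by a keyed hash stands in for the real encrypted counter, the 256-code acceptance window is the figure quoted in the thread, and the two-way challenge-response receiver is a generic sketch of the alternative cybergibbons mentions, not any specific product’s protocol.

```python
"""Toy model of a one-way rolling-code receiver with a resync window,
next to a two-way challenge-response receiver for comparison.

Illustrative only: the counter width, the 256-code window and the
HMAC-based tag are assumptions of this model, not any real fob scheme.
"""
import hashlib
import hmac
import secrets

WINDOW = 256  # receiver accepts the next 256 counters (figure from the thread)


def _tag(key: bytes, counter: int) -> bytes:
    # Keyed MAC over the counter stands in for the fob encrypting its counter.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> tuple[int, bytes]:
        """Each press emits (counter, tag) and advances the counter."""
        msg = (self.counter, _tag(self.key, self.counter))
        self.counter += 1
        return msg


class OneWayReceiver:
    """Accepts a valid tag whose counter lies in [expected, expected + WINDOW),
    then moves the window just past it. A counter at or below the last accepted
    one is rejected, so an unheard code stays usable only until the receiver
    hears a later one."""

    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def receive(self, msg: tuple[int, bytes]) -> bool:
        counter, tag = msg
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False
        if not (self.expected <= counter < self.expected + WINDOW):
            return False
        self.expected = counter + 1
        return True


class TwoWayReceiver:
    """Challenge-response: the car issues a fresh nonce and accepts only a tag
    over that nonce. An old response never matches a new nonce."""

    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(8)
        return self.pending

    def receive(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        ok = hmac.compare_digest(response, fob_answer(self.key, self.pending))
        self.pending = None  # one response per challenge
        return ok


def fob_answer(key: bytes, nonce: bytes) -> bytes:
    """The two-way fob's reply to a challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


def demo_resync() -> tuple[bool, bool]:
    """Presses the car never heard: 10 stay inside the window, WINDOW+5 do not."""
    key = secrets.token_bytes(16)
    fob, rx = Fob(key), OneWayReceiver(key)
    for _ in range(10):
        fob.press()
    in_window = rx.receive(fob.press())      # True: resyncs within the window
    for _ in range(WINDOW + 5):
        fob.press()
    out_of_window = rx.receive(fob.press())  # False: window overrun
    return in_window, out_of_window


def demo_replay() -> tuple[bool, bool, bool]:
    """A code the car has not yet heard is still valid; once a later code is
    heard, or the code itself is consumed, it is rejected."""
    key = secrets.token_bytes(16)
    fob, rx = Fob(key), OneWayReceiver(key)
    unheard = fob.press()                   # press the car did not receive
    accepted_later = rx.receive(unheard)    # True: still ahead of the window
    repeated = rx.receive(unheard)          # False: already consumed
    fob2, rx2 = Fob(key), OneWayReceiver(key)
    unheard2 = fob2.press()
    rx2.receive(fob2.press())               # a later press moves the window on
    after_advance = rx2.receive(unheard2)   # False: behind the window now
    return accepted_later, after_advance, repeated


def demo_two_way() -> tuple[bool, bool]:
    key = secrets.token_bytes(16)
    rx = TwoWayReceiver(key)
    resp = fob_answer(key, rx.challenge())
    fresh = rx.receive(resp)                # True
    rx.challenge()                          # new nonce issued
    stale = rx.receive(resp)                # False: old response, new nonce
    return fresh, stale


if __name__ == "__main__":
    print("resync (in window, overrun):", demo_resync())
    print("replay (unheard, after advance, repeated):", demo_replay())
    print("two-way (fresh, stale):", demo_two_way())
```

The three demos separate the properties the thread argues about: a windowed receiver tolerates presses it never heard, so accidental button presses do not desynchronise the fob; a code the receiver has not yet heard remains acceptable until a later one moves the window past it, which is the exposure cybergibbons describes; and a challenge-response receiver rejects a stale response outright, although, as cybergibbons also notes, it does nothing against relaying a live exchange.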

      • Greenaum says:

        Could it be as simple as those coded door locks that failed? The code was fine, but the door lock was a solenoid, and a magnet in the right place… Our baseball-cap wearing friend might just have an electromagnet or a neodymium one.

        I haven’t really talked to any car thieves in years, and the ones I knew were idiots. Still, plenty of money in crime, no wonder the odd rogue genius gets inspired. I’d be half tempted just for the hack.

    • Fungus says:

      In the second video the guy was clearly walking along trying all the cars. If he was walking along trying all the cars then it doesn’t work on all of them. The fact that all three cars in the video were Honda/Acura suggests a weakness in Honda design.

      From the looks of things you have to be really close to the car for it to work, maybe even touch something to the piece of bare metal around the keyhole.

      I’m guessing it’s lower tech than people are thinking – a taser to the keyhole or something like that. Maybe pull the insides out of a battery powered bug zapper (they contain a high voltage sparker that fits in the palm of your hand).

      • LongFist says:

        …”suggests a weakness in Honda design.” – or perhaps his tool was designed to circumvent Honda security. Just a thought…

      • Gitsnik says:

        There’s a whole swath of cars in the local casino carpark that are vulnerable to a plunger over the doorlock (auto-unlock on submersion I guess?) could it be that?

        • Adam says:

          Are you saying the same hack as the tennis ball with a hole cut in it? Because that was an internet viral video that someone was standing off camera with the key fob.

          • Gitsnik says:

            Possibly. Got it from an underling who worked at said casino. He’s many things, but I’d be surprised if he made that one up.

      • draeath says:

        Tasing a piece of metal does nothing except pass electricity over the skin of the metal, between the electrodes.

      • justuan says:

        Door locks are not affected by outside EM spikes. While the lock cylinder looks like it is in contact with the metal door skin, there is actually a rubber isolator separating them. Should the isolator degrade and fail, the links between the lock cylinder and the lock rods, or lock cables, and motor are separated by plastic clips. The majority of modern cars don’t even use metal cases on the lock actuators. Most likely these thieves are looking for cars with aftermarket security systems; then, when found, they use the manufacturer code schema (probably bought from a disgruntled security system designer) to replicate the second unlock feature that unlocks the passenger door with no siren beeps or horn honks. I install keyless entry, security, and remote start systems professionally and have inquired about this subject to DEI, Panasonic, and Code Alarm techs; all have been suspiciously silent.

    • Wuilman says:

      I was an auto mechanic for 10 years, there are some telling signs that say they have some type of RF transmitter.

      When you unlock MOST power door locks this is the logic table for the Body control module (AKA the BCM, aka security module)

      Status: Car sits locked
      Press unlock fob 1 time = unlock only drivers door 1st.
      Press fob button 2 times = unlock all doors command.

      Carefully reviewing the tape clearly shows the interior/dome lights coming on RIGHT BEFORE the PASSENGER door is opened. This is a clear indication that they are somehow accessing the Body control module to access the power door lock module and the security module.

      This explanation would also explain why the older cars without BCM or security modules cannot be opened as easily.

      I worked for Ford for several years, each auto builder has their own different way of doing the same thing. This may only be an exploit that works on a certain make, model, year range. Which is also why the auto manufacturers they interviewed are clueless.

      • edna says:

        Excellent information! Thanks

      • justuan says:

        Give an up to date GM Tech2 BCM programmer with a wireless CANdi module to a disgruntled coder who knows the system, and it would only be a matter of time before GM cars become targets. I’m not saying this is how it’s being done (not all affected cars are GM products) but there is a reason the Tech2 diagnostic tool and its add-ons are not available to the public.

    • WRND says:

      Hey, Hackaday, why not make a jammer, leave it at a lamp post in a parking lot. Wait for a friend to arrive. When they walk away, check if the car is still unlocked? Most keyless entry systems are based on 2.4GHz chips like TI’s CC24xx range and Nordic nRF2401 range. I have used these for wireless lights and there it was easy to jam the receivers.

    • Truth Hurts says:

      News FAIL. this should have never made the news .. all three cars shown were unlocked. The crooks walked up and touched the door handle and it opened. The last one in the video was clearly checking cars as he walked by, and it must have clicked so he backed up and opened the door….. I have lost all faith in law enforcement and the media.

    • heath says:

      From someone who’s had this happen to him twice in one month – both were the same guy (which narrowed it down to only a million or so middle aged males wearing sweat pants in the Queens, NY area). Both times he had something in his hand. Both times the car was definitely locked. Both times the lights blinked when he unlocked the car, which happened right before he reached out to open the passenger door. The first time he stole about $10 in change and a set of headphones. Second time about $2 (which is one reason why the cops just didn’t care). My car is a 2012 Ford Escape and was purchased brand new. In the same month we know of 3 other Fords in our neighborhood that were broken into the exact same way. The car doesn’t have any on-going electrical issues.

  2. VerticalHover says:

    Either they have the codes, or they’re using a mini EMP device to short out the system. Since they aren’t stealing the car, they don’t care if it fries the computer.

    • isitjustme80 says:

      I’m 100% positive it’s a mini EMP activating the door locker.

      • localroger says:

        I could see this physically opening the lock, since all you need to do is get enough current to the transistor that pulls in the solenoid to turn it on; that would even explain why some models are vulnerable and others not, depending on design. Clearing the alarm would have to occur because the car’s computer gets reset. Seems a bit dodgy though, since you might get the lock solenoid to actuate without resetting the master computer, which isn’t in the door… ?

        • localroger says:

          Never mind, HRobotics explains the alarm reset. Thinks you used the donkey key. Makes perfect sense.

          • Greenaum says:

            The whatkeynow?

          • “Donkey key” – a key that comes with the car that doesn’t have a little chip inside (similar to RFID) to deactivate the immobiliser. Only useful for opening the car.

          • Coltraine says:

            Could one use a key that is not made for that exact car, but is made for that same make/model…in combination with the mini-emp in order to gain access to multiple models of the same vehicle?

        • MrX says:

          If it is an EMP attack, then a simple Faraday cage around the electronics and ferrite bead coils placed in the wiring should prevent it.

          • draeath says:

            A “simple” faraday cage. Yep.

          • MrX says:

            @draeath clearly you never saw any shielding on the RF circuitry of wifi adapters or routers! A Faraday cage is nothing more than a metallic chicken net with the hole diameter tuned for the frequency you want to block. Make it solid and it will block pretty much any frequency.
            So yeah, given that the car door is already solid metal, you would only have to shield the other side of the door. What is so difficult about that?

      • Fungus says:

        EMP takes a lot of energy. I’m guessing it’s some kind of high voltage spark generator (which is why they have to touch the keyhole with it).

      • attrezzo says:

        You’re on to something with EMP. Whatever they’re doing, it’s happening inductively. I don’t think they’re digitally communicating with the car; it’s too quick for a brute force and it’s too complicated for anyone to spend good money making a record/playback kind of thing. They’re not attacking the digital receiver or the digital technology. Could they be inductively zapping the cable connected to the switch that unlocks the door? A bigger electro-magnet forcing a relay to shut or something? Or is it a one-wire sequence they’ve figured out?

        I’d have to say that maybe there’s less shielding on the passenger door, it’s also where the fusebox is generally located in cars. But perhaps most importantly, there’s not a bunch of other switches and wiring on that side.

        They’re using an electro-magnet to activate the unlock as if someone is sitting inside of the car pressing the unlock button. My guess is they’re attacking the cable/switch assembly that unlocks the door somehow. Or the unlock solenoid itself? Since the passenger side has less controls it would be less likely to activate all kinds of other stuff they don’t care about or shield the signal because the wire is wrapped in other wires. They stand nearby and hold the handle because the same action that triggers the unlock could trigger it to lock again. So I bet it pulses just like the device in the video and they try to catch it on an unlock pulse.

    • isitjustme80 says:

      Someone will eventually get caught, and it won’t be such a mystery. What a sad way to earn a living, stealing people’s loose change out of their cars.

      • kb says:

        Every ecosystem has its parasites, unfortunately. Clearly it’s not even that lucrative. That guy’s wardrobe is a disaster.

        • Greenaum says:

          Among car thieves that’s haute couture. You’d be amazed how much people pay for shitty tracksuits and baseball caps.

          Since there’s no traditions for style among the lower classes, it’s a simple combination of buying what’s advertised on MTV, multiplied by the price you can say you paid for it. Yes, capitalism is that simple and that effective.

          • Franklin Templeton says:

            Let’s not forget the “White T” syndrome where all the homies wore white t-shirts to make it harder to identify “a black male in a white tshirt”. Ya can’t arrest the whole corner lol. you are 100% correct on the fashion sense. These folks aren’t usually operating above a 6th grade education and it is always easy to spot the nouveau riche lol. The tags on your clothes mean you are gonna return them later lol. Where most of us would just see a letterman jacket on some idiot that obviously hasn’t played sports in years, the dude is thinking I look great in this sheepskin and pleated denim lmao.

          • wddng says:

            @Franklin, do you live in a white bread world?

            People wear white t’s because they are super cheap.

          • Franklin Templeton says:

            I can only assume you were joking because you just sound ridiculous. The “white bread” answer is because they are cheap. The ghetto answer is so the cops can’t tell who you are easily.
            Go visit the dirty south and ask around.

    • HRobotics says:

      I agree, applying a voltage to the line coming from the key lock both unlocks and disarms the alarm in most cars. That’s how my remote ignition works: it hits the line with 12v, the car thinks it has been unlocked via key, disarms the alarm, and unlocks the passenger side door electronically. But then again, they’re on the passenger side… I don’t even have a key lock on that side. And when the car thinks it’s empty and something touches the interior lock switch it triggers the alarm.

      It could be a key-fob retransmission. Even with a rolling code the car will watch a set amount of other codes in case the two get out of sync (like pressing the unlock button a bunch of times for fun while you’re away from your car). Don’t think it works “backwards” though, once an iteration is used it’s used. Hmmm

  3. fonz says:

    Maybe it is magic, or maybe they just go from car to car until they find one that isn’t locked, which would also explain why they failed to open some of them.

    Insurance doesn’t cover it if the car isn’t locked, so of course everyone will say the car was locked and they must have hacked it.

    • Chris says:

      Actually I like fonz’s and Per Jensen’s suggestions… maybe the cars aren’t locked :P

      • Tien Gow says:

        Then why is it only Honda owners that leave their cars unlocked?

        • Royell says:

          Given the relatively small sample size we have to work off of, and the fact that these are fairly popular, massively produced cars, seems like coincidence. There isn’t much data on this issue to work with, and the data we do have is… Spotty, at best.

    • Sean says:

      I agree. In the second video especially, it looks like he’s just walking by pulling on door handles until one happens to open. He stops and almost looks somewhat surprised when it does.

      Also, the passenger door just makes sense if they’re after valuables and not the car itself. The glove box is on the passenger side.

      I’m not saying there couldn’t be some device they used, but the videos don’t really show much to suggest that, and an unlocked door just seems the more obvious explanation. (Occam’s razor and all that…)

      • trndr says:

        Totally agree, and if it were a wireless hack, then why don’t the thieves have directional antennas and unlock the cars 20 minutes beforehand (we can’t see the recording that far back)? That would filter out all the unlockable ones and still be “secure” for the thieves.

        • trndr says:

          The reason for only using the passenger side is because it should have a larger diversity of fingerprints than the driver door and the back seats.
          (Sorry for replying to myself, can’t edit.)

          • Anonymous says:

            Oh c’mon, like people that steal stuff from cars think of fingerprints or care. Even if they did they would just use gloves. Also about all the wireless hacks suggestions; riddle me this, why do they only use passenger side? Yeah. So it’s not a wireless hack. What it might actually be is somehow triggering the passenger side solenoid to open the door.

          • trndr says:

            Anon, so you would credit them with making a device able to activate the solenoid through a plastic handle without using wireless technology, rather than worrying about fingerprints?
            If it were some kind of direct contact electric measure, you should be able to find it somehow, or at least somebody would be able to given enough time.

          • jgmrequel says:

            @trndr – Just because they are using the device doesn’t mean they made the device. If I went through the process of making a device that allows entry without evidence of use, I’d wear gloves and pick cars/locations which do not have cameras.

          • cutandpaste says:

            Seriously? Some folks are putting too much thought into this.

            Fingerprints? This isn’t CSI. Nobody but you actually cares that you had something stolen from your car. You file a report (around here, the cops won’t even show up at the scene for this — you must come to the station) and/or an insurance claim, and move on with life. There is no investigation to speak of.

            They attack from the passenger side because the steering wheel is not in the way. This allows them greater mobility within the car, while allowing them to get in and out quicker.

            This is the same reason why window-smashing thieves -always- attack a rear window: They don’t want to sit in broken glass. Break window, reach inside, unlock car, and then move to wherever the pile of glass isn’t, open that door, and begin looting.

            Just because they’re thieves, doesn’t mean that they’re any less lazy or clever than the rest of us.

  4. Chris says:

    Probably some sort of fuzzing attack… where they use high voltage to confuse the computer. My car door handle serves to alert the computer I want the doors to unlock if I am next to the door… and there is a button to lock as well.

    It would be interesting to know if it is a particular manufacturer or if it works across the board on several manufacturer’s vehicles.

    • notstarman says:

      I bet you’re right. Looking at the video, it appears that the thief was unaware of which car was going to unlock. I bet that he has some random process that has a low probability of opening the car door and so he walks back and forth slowly until he finds a vulnerable car. It unlocks and he’s in.

  5. Bracken says:

    I think they have an accomplice near the owner who is not very far away. The accomplice has another device which emulates the car, the unwitting owner’s key is fooled into thinking it is close to the car and begins unlocking it.

    The signal is forwarded to the first criminal’s device, which is emulating the key opening the car. Then they pull the handle and enter. Possibly only from the passenger side to remain out of sight.

  6. chad says:

    Maybe they wait nearby with a PC and a software radio designed to sniff for the key presses from the original fob, then return later with a remote programmed to emit the recorded/transmitted code.

  7. azog says:

    Has anyone analyzed these and published results? You comment “has an encryption algorithm been hacked”, but I ask because I wonder “_is_ there even an encryption algorithm at all?”.

    Are the affected cars from the same manufacturer? Is the keyless entry the same manufacturer or type?

    The “hack” used can only be used in the circumstances identified (passenger door only, unable to start the engine, possibly no access to trunk) which suggests it’s either a default setting that either the dealer or owner never changed, or (God forbid me even saying this) a “backdoor code”, but akin to the “valet key” some cars (used to) come with.

  8. ds2ktj says:
  9. standa says:

    I heard about jamming devices that jam lock signal of your car and you can’t lock it, most people don’t check if their car is properly locked and thieves come to steal things. But this method seems to be different…

  10. tz2026 says:

    My best guess:

    It does something to induce the “door open” message on the CAN bus, perhaps indirectly by a voltage on the wires going to the lock-unlock button (think of it as a virtual coat-hanger).

    When you set security, it would be bad if the passenger could not exit without the alarm going off so there might be that as an exception in the code for the switches.

    It is also possible that the controller in the door will open upon reset, so a sufficient scrambling noise pulse will do so.

    One possibility would be if any had an ELM327 they leave attached to the J1962 connector…

    • jason says:

      The induced current/voltage on wires going to the unlock button is what I was thinking. And I know on modern Cadillacs if you lock the vehicle with the key fob the trunk release and unlock buttons inside the car no longer function.

      If it were a device that functioned like that, it would explain the behavior of the thief who appeared to hold something up to the car as he walked past and jumped back when the door unlocked, as though he were trying it on every car on that street, making it look like he was just walking past if it didn’t work.

  11. truthspew says:

    It’s not just older cars. I rented a VW Jetta not too long ago. I noted the remote transmitted on 415MHz and I have a handheld transceiver that can tune that no problem. It’s just what sounds like an FSK stream. Didn’t have time to record it but I bet had I done so my radio would have unlocked the car.

  12. Colin says:

    Police are “asking for help” but, unless I’m missing something, there are no details. It would help to know the make, model and year of the cars broken into. I know a lot of cars now have keyless entry (you can just touch the driver or passenger door handle to unlock when the key is in range). If they’re boosting the signal they could emulate that the key is in range. It would make sense why they’re just walking up to cars and touching the passenger handle. I know on our car that causes all the doors to unlock while the driver side handle just unlocks the driver door.

    • Greenaum says:

      Presumably the “help” they want is one of the thieves grassing on his friends for money. You don’t need technical expertise to solve this, and the police wouldn’t understand it anyway. You just need someone who knows the scheme, presumably learned by rote, to tell you what it is. It’s probable the thieves themselves don’t have a clue how it works, only that it does.

    • Paul says:

      The help they want is not ours. If you exposed a fault in one of these systems made by big AUTO they’ll probably arrest you for gaining access to a system that is not yours…. or “hacking”

  13. nizon says:

    Where I live they just bust your window, sell your stuff on kijiji and go buy some booze.

    • decius says:

      Sounds like we don’t live too far from each other lmao.

    • wretch says:

      Some years back somebody busted my car’s rear window and “traded” a sunscreen and something else equally insignificant that I can’t remember with a couple of racquetball racquets that he probably used to break the window.

      I don’t remember what I did with the racquets; I don’t think I have them anymore.

  14. I once talked to a guy who designed ECUs for a motor vehicle manufacturer. When I asked him about how the keyless entry was implemented, he told me that it was based on a challenge response mechanism based on a seed hard coded into the security system of the car. If the seeds were compromised then the locks can easily be bypassed. Maybe it’s that. But more likely is the simpler explanation that the cars weren’t locked in the first place.

  15. kdac says:

    The cars that have button entries can be broken into within 7 minutes of punching in all the combinations.

    http://infothread.org/Thieves/GTA/1282581339787.jpg

  16. Corrosive says:

    Sounds to me it’s a simple replay attack from the keyfob.

  17. isitjustme80 says:

    They are doing it with something like this, although that isn’t what it is meant for.

  18. earl says:

    Do the videos show the lights blinking before opening the door? Almost all cars are set to blink lights when they receive a command from a remote.

    • hadi says:

      Good point. They don’t have the code. The car is not unlocked. With an EMP they can open the door. But why doesn’t the alarm work?

      • Anonymous says:

        Most likely some super stupid user error/security reason. How does the alarm trigger anyway? Maybe the same solenoid that unlocks also somehow disconnects the alarm.

        • anonymous says:

          Most cars these days come with valet keys. If you unlock the car with the valet key, it automatically disables the alarm. It’s controlled from the lock solenoid. They have sensors positioned all over the car to sense for excessive vibration and forced entry. If you can remotely pop the lock open, using a strong magnetic field, you can disable the alarm system.

          • Anon says:

            False. The valet key is only so you can lock the glovebox and the valet can only drive the car. Valet keys do not automatically disable the alarm.

  19. Alex says:

    After watching the videos here are some observations.
    * Even when two cars are in close proximity, unlocking one does not unlock the other.
    * In all cases the interior lights go on at the exact moment the door is opened.
    * In all cases the thieves do not seem to unlock the car remotely, they have their hand on the handle bar at the time.
    * In the case of Michael Shin’s car, it is quite obvious the thief is just walking past the car, his hand trails behind him when the interior lights go on, he seems surprised, stops and comes back, looks around then enters the car.

    In that last case, there is no doubt he has no “device”, he is simply walking past a row of cars, trying the handle on each door until he finds one that is unlocked. I think we’re all chasing a red herring thinking this is a technical exploit, as others have said this is simply owners leaving their cars unlocked, by accident or ignorance, then claiming the cars were locked in order not to miss out on insurance.

    • bluegatorade says:

      You nailed it. None of the videos really show anything in their hands. It looks like all of them just found unlocked cars.

    • OldCrow says:

      Passenger side doors are more likely to be left unlocked unnoticed by a mechanical malfunction.

      A relative had a car that did not lock the rear driver side door, due to a jammed mechanism. This fault was only discovered when I happened to borrow the car; I have a habit of checking both doors on the side I get out from, after locking the car. If the non-locking door had been on the other side, it might have gone unnoticed for years.

      How often do you check that all doors did in fact lock, after you pressed the magic button and heard the locks latch?

      Then there are the cars that simply do not have automatic locks. Remembering to lock the passenger side door after the occasional passenger is hard, when they’re all used to automatic locks.

  20. FutureCyberdyneEngineer says:

    Rolling codes or not wireless is wireless, it can be recorded and analyzed no matter how you protect it. The only thing manufacturers can do is make it take longer to crack. However, the fact that he acts surprised when the door opens may be a clue. What if they recorded a variety of door unlock codes and broadcast them in sequence in a crowded parking lot. Then they walk around to each car, check the handle and see if they got a hit. That could explain why he acts surprised that it worked.

    • Angus says:

      Of course wireless signals can be recorded and analysed. But how does that help you, if it’s using a rolling code where the next code is almost impossible to predict?

      It seems like you’re suggesting that all wireless systems must be inherently insecure, which is false.

      • Analog says:

        All security systems (wireless or not) are inherently insecure. Anything designed to let some people in and deny access to others can be fooled or finagled into granting unauthorized access. This is true of not only devices but people as well.

        Security in all forms exists as a deterrent- however the old adage remains true- ‘where there is a will there is a way.’

      • dvboy says:

        So how does a rolling code work with 2 fobs if fob1 is used daily, and fob2 weekly? It seems that fob2 would fall out of sync after a day or so.

        • Jackson says:

          I’m pretty sure they resync with each successful lock/unlock. Along with that I *believe* the valid code range is something like +/- 128. So as long as you haven’t pressed the button however wide the range is, they should always resync.

        • spuder says:

          I’m not an expert, but my after market alarm can sync with 4 fobs. I assume that there are 4 rolling code banks.

          According to a PBS episode on security I saw years ago, most garage door openers can be pushed 256 times (while out of range) before they become out of sync. (Unverified)

      • P-Dep says:

        I quite agree with you Angus. My Holden Astra ’05 model (which is also called Vauxhall/Opel Astra in some other countries) has a unique code transmitter built in where it only allows my 2 keys to work with it and no other devices.

        It also has a rolling code, which sends out a one-off random entry code to both keys and can only be received by the transmitter/receiver in my car if the correct 2 keys stored in its memory are identified as the senders for each unique code.

        The door locks cannot be broken due to its titanium like bolts and doesn’t have those old 90’s – early 2000 locks which go up and down for locking/unlocking. If the door locks get a surge of electricity they will automatically shut down the car which will result in the door locks not opening at all.

        Now this might all seem like a dream security car, but as with all things near perfect, this car does have a major flaw where the locks can be opened very easily if you know the Astra 2005 range. But nonetheless, once my car is opened, there is no way of locking it again unless you use the 2 keys provided by the dealership.

        So overall, I will know if my car has been broken into, and the best thing to do is not keep anything valuable in it. :)

        • P-Dep says:

          Furthermore, the transmitter/receiver only allows ONE chance to enter the right code, so if it receives anything else it drops it.

          • cybergibbons says:

            I’m not sure you appreciate rolling codes or the flaws that can be found in them.

            Generally rolling codes are not one-off. They use a pseudo-random function. It would make it easier to break if the code was one-off: each code that is known to be sent would result in a reduction of the potential codes the next time.

            Very, very few of the rolling code systems in use only allow one chance. This is because they are not bi-directional. You can send multiple codes from the key when it is out-of-range of the car. Each time the code rolls forwards. For this reason, the car normally has a window of ~256 codes that will work.

            So many of the systems have subtle flaws, but even the ones that don’t seem to often use the same seed/key across a wide range of cars. Recover a key for one Astra, use it for all of them.
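As an added example, not code from any commenter and not KeeLoq or any vendor’s protocol, here is a toy rolling-code receiver in Python that illustrates the behaviour Jackson and cybergibbons describe: every press rolls the fob’s counter forward whether or not a car is in range, the car accepts any code inside a look-ahead window of 256 and resyncs to it, a captured code that is replayed falls behind the accepted counter and is rejected, and each paired fob keeps its own counter (dvboy’s daily/weekly question). The counter is sent in the clear with an HMAC tag, which is a constructed simplification; real systems encrypt it, and the key, window size and fob IDs below are all made up for the demo.

```python
"""Toy rolling-code fob/receiver: look-ahead window, resync, replay rejection.

Constructed illustration only; the frame layout, key and window size are
assumptions for the demo, not any manufacturer's format.
"""
import hashlib
import hmac

WINDOW = 256  # look-ahead window; roughly the figure quoted in the thread
FRAME_LEN = 1 + 4 + 8  # fob_id | 32-bit counter | 64-bit truncated HMAC tag


class Fob:
    """One key fob: a secret key shared with the car plus a press counter."""

    def __init__(self, fob_id: int, key: bytes, counter: int = 0):
        self.fob_id = fob_id
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        """Advance the counter and emit fob_id | counter | tag.

        The counter rolls forward on every press, in range or not, which is
        why the receiver needs a window at all.
        """
        self.counter += 1
        body = bytes([self.fob_id]) + self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class Receiver:
    """The car side: one key and one 'last accepted counter' per paired fob."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.paired = {}  # fob_id -> [key, last accepted counter]

    def pair(self, fob: Fob) -> None:
        self.paired[fob.fob_id] = [fob.key, fob.counter]

    def try_unlock(self, code: bytes) -> str:
        if len(code) != FRAME_LEN:
            return "rejected: malformed"
        fob_id = code[0]
        counter = int.from_bytes(code[1:5], "big")
        tag = code[5:]
        if fob_id not in self.paired:
            return "rejected: unknown fob"
        key, last = self.paired[fob_id]
        # Authenticate first, so counter handling never runs on forged input.
        expected = hmac.new(key, code[:5], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        # A code at or behind the last accepted counter is a replay: once an
        # iteration is used it is used, as HRobotics put it.
        if counter <= last:
            return "rejected: replay"
        # Too far ahead: the fob has been pressed more than WINDOW times out of
        # range and has fallen out of sync (real systems often allow a wider
        # secondary window that needs two consecutive presses; omitted here).
        if counter > last + self.window:
            return "rejected: out of window"
        # Inside the window: accept and resync to this counter.
        self.paired[fob_id][1] = counter
        return "unlocked"


def demo() -> dict:
    """Walk through the scenarios from the thread and return each outcome."""
    results = {}
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    daily, weekly = Fob(1, key), Fob(2, key)  # two fobs paired to one car
    car = Receiver()
    car.pair(daily)
    car.pair(weekly)

    captured = daily.press()                       # an attacker "records" this
    results["normal"] = car.try_unlock(captured)   # unlocked
    results["replay"] = car.try_unlock(captured)   # rejected: replay
    for _ in range(10):                            # pressed for fun, out of range
        daily.press()
    results["resync"] = car.try_unlock(daily.press())        # unlocked
    for _ in range(40):
        daily.press()
    results["weekly_fob"] = car.try_unlock(weekly.press())   # own counter: unlocked
    for _ in range(WINDOW):                        # blow past the window
        daily.press()
    results["desync"] = car.try_unlock(daily.press())        # rejected: out of window
    wrong_key_fob = Fob(1, b"some-other-car-key")  # same fob ID, different key
    results["foreign"] = car.try_unlock(wrong_key_fob.press())  # rejected: bad tag
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The replay case is the whole point of rolling codes: a recorded frame is only worth something if it is played back before the owner's next successful press, which is why the jammer-style theories elsewhere in the thread are the ones that actually fit a record-and-replay story.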

  21. wretch says:

    Could it be something that’s common to Honda/Acura cars? The 3 cars they showed that were broken into were all Honda/Acura. The other 2 where the burglars failed were a Ford and a Cadillac.

  22. dALE says:

    My bet is that they are using either high power inductive charging or radio interference to make the lock actuator move.

    Only using it on Passenger side as there are considerably less electronics in the passengers door.

    • isitjustme80 says:

      That’s exactly what it is. Something with a coil/inductor. My passenger door actuator or whatever is in there doesn’t work any more because my jerk off brother thinks it’s funny. I wouldn’t be surprised to see him in one of those videos if it’s near downtown Chicago. He steals credits on pinball and arcade games, and the thing probably causes cancer.

  23. Willow says:

    The vehicles featured in the video are all the same major brand, Honda. The SUV’s were Acura, the car was Honda.

    It’s known that not all car manufacturers use rolling codes, it’s also known that the seed codes can be read (and in some cases, rewritten) with a master computer at most major MFG dealerships.

    I would start looking in that direction, especially since the cars all responded as if the keyfob had been used.

    • dALE says:

      Vehicles only responded when the individual’s hand was near the door handle.

      • isitjustme80 says:

        I’m telling you guys, I’ve seen it first hand. Some genius figured it worked for cars too. Don’t use this on your car, it will blow the solenoid after so many times.

      • isitjustme80 says:

        Crap, wrong video, here is this guy’s hand device. Bet it’s something similar.

        • qwerty says:

          Yawn… EMP generator (poor man’s version: big battery, 555, MOSFET, coil, antenna).
          All modern slot machines are immune. Cars too.

          • isitjustme80 says:

            Must be nice to know everything. Bold statement, for someone who doesn’t offer any solid theories. Armchair quarterbacking has no place anywhere. I’ve seen it work. Until you can prove otherwise, get back to being a spectator.

          • anonymous says:

            You are semi correct, cars are immune to weak electromagnetic pulses. They protect the vital spots in a car that would render it unable to operate. This would be the brain of the car, the ECU. These are shielded from interference. I can guarantee you though, that your car locks are not. Engineers probably avoided this because we have physical keys to get into the car, so if the locks burned out, we can still open the door and drive away. In this case, thieves are exploiting an age old design flaw.

    • chango says:

      There is an early failure mode of some Honda lock actuator modules, specifically 3rd gen CR-V, that cause them to unlock themselves over the course of a minute or so after being electrically actuated. Honda hasn’t recalled this, but there are a few class actions going on to try to compensate affected owners: http://www.chimicles.com/honda-and-acura-door-lock-actuator-failure.

      I replaced the front driver and passenger actuators in our 6 year old CR-V a few weeks ago, and now one of the rear locks is starting to misbehave. It’s extra annoying too, since the ECU sees a failed lock as always open, and relocks the doors every time the car moves from a stop past 10MPH.

      Anyway, as someone else noticed, the “device” may be a red herring, and they may be just looking for Hondas that have bad actuators that the owners believe they have locked.

      • Fungus says:

        Don’t you think the owners/police would have tested their doors afterwards…?

        • chango says:

          Possibly, but when the actuators started to fail on ours, the driver side actuator would appear to have locked, then over the course of a couple of minutes would scoot back to the open position. It could easily have been overlooked.

      • Tien Gow says:

        Many cars automatically lock the doors when the car exceeds a certain speed. In mine, it is 16 mph. This is an option that can be turned on and off (if I ever read the book…)

      • cutandpaste says:

        Have you ever considered the obvious thing: Oiling it? My experience with old mechanical things, especially in cars, is that they fail at the same rate that the lubrication does, and that even a half-assed attempt at rejuvenating the lubrication will allow good and smooth operation for many years.

        I fixed (yes, fixed) an increasingly finicky outside driver’s door handle on my 1995 BMW by spraying, rather blindly, some Tri-Flow in through a plastic knockout in the door. It’s been working fantastically ever since.

        Same with window regulators. And the power window motors themselves. Old grease turning to glue == failure.

        Otherwise, there’s often programming options for things like automatic locking. I don’t (and haven’t) owned a Honda, but there’s a chance that the programming directions are listed in the owners manual. If not, Google yourself up a good Honda enthusiast forum and search it. (Where “programming” means some incantation of turn car on, depress brake, turn off and then on in some certain cadence, activate the headlights, or other similar Dance Dance Revolution-like series of moves. No hardware required.)

        (As to which oil to use: Almost anything other than WD-40. Tri-Flow is my go-to favorite, though; it comes from bicycle shops and/or the bike section at Wal-Mart. Gun stores might also carry it. It is made by Sherwin Williams.)

  24. car jacker says:

    A lot of VW group cars on the passenger side there is a blank where the key hole would normally go, knock the blank off, long screwdriver unlocks doors and turns off factory alarm

  25. qwerty says:

    Folks, the Keeloq protocol and algorithm were cracked almost six years ago.

    http://www.cosic.esat.kuleuven.be/keeloq/

    • 1234 says:

      “Using only 10000 euro, an attacker can purchase a cluster of 50 dual core computers that will find the secret key in about two days.”
      ->???

      • P-Dep says:

        Really? So you mean to tell me that a bunch of robbers would spend 10k euros just so they can break in and steal stuff? Good idea. Now all they have to do is find a way of bringing 50 dual core computers to their targeted area so they can spend two days there trying to figure out the ‘secret key’

        • cybergibbons says:

          The attacks have moved on a long way from there, they are much more efficient and don’t require such an investment in hardware.

          But the reality of it is that several manufacturers use the same key across many models or even all cars.

          Spend some time recovering the key once, use it again and again.

  26. Eric says:

    It is an assumption that the car is being unlocked via the keyless entry system. On-star and the like can also remotely unlock a door. Perhaps that is a lower hanging fruit. I tend to agree with the comments suggesting that they were opening already unlocked doors and that the passenger side is more likely to have the stuff they are interested in. Hopefully technophobia does not cloud police judgement.

  27. Jeff Phinney says:

    Has anyone bothered reading this?

    http://eprint.iacr.org/2010/332.pdf

    • HowardC says:

      Yup, it’s most likely 3.3.

      People keep talking about nonsense like rolling codes and all that, but what they aren’t getting is there is next to no electronics in the keyfob itself, which means that if you know the fob protocol it’s fairly easy to try a bunch of random seeds until one works, or in the case of the pdf you linked to, get the car to flat out tell you the seed key.

      • Angus says:

        What do you mean? Rolling codes aren’t nonsense, they’re what a lot of keyless entry systems actually use. And the keyfob contains a microcontroller or other chip capable of generating and transmitting the codes.

        If that’s what you mean by “next to no electronics”, then you’re right, but I don’t see how your claim of insecurity follows from that.

      • fartface says:

        I can implement RSA encryption in “next to nothing” in a keyfob.

    • power.supply says:

      I agree with you. All the thieves are either wearing baggy clothes or a backpack, which makes it easy to hide a similar device.

  28. MarkG says:

    We unfortunately had a rash of thefts a few months ago in our neighborhood. 29 cars broken into within a 3 block radius including my 2… all Hondas. My two were definitely locked as was my neighbor’s. My neighbor had 2 cars– 1 Honda, one not. The Honda was the only one broken into. There could be something to this. I’ve been trying to figure it out since then, but haven’t found anything.

    • MarkG says:

      I forgot to mention that this was in 1 night and there were no windows broken, etc. Just opened as if they used some sort of device.

      • Colecago says:

        My Honda was broken into a few years back. I swear I had locked the doors, the person I was driving with said so as well, but my car was opened, no windows broken, no scratches from a slim jim. They stole my military issue Oakleys, my tinted safety glasses, all my cd’s (though most were burned), my gps, and a dartball dart from my last season.

  29. Matthew ZS says:

    I didn’t read thru every entry so I don’t know if this has been mentioned but on the new Toyota Priusus (Pri-i…… not sure the plural) the doors WILL relock automatically if you leave the car and the keyfob goes out of range.

  30. rwinscot says:

    Check out the last of these three methods to open a locked door – when the guy hits the lock with a taser.

    So…

    • valdas says:

      Totally fake… trust me, to open a boot you have to have way stronger force than just that pump… a neighbor’s car was vandalized, they tried to open it with a crowbar, sheet metal was bent all over but the lock did its job… second, with a plunger, MythBusters busted this myth… and electroshock? Neahh… fake.

      • rwinscot says:

        I saw the MB episode with the tennis ball… my comment was about the taser. If the door lock is driven by a solenoid or motor that can be ‘excited’ via an EM field, an on-board computer that can be reset via an EM pulse, ‘fail safe’ door locks, nearby fuses that can be tripped, or some combination of these. That – is worth some thought.

        I own a 2012 Honda Odyssey and 2007 Honda Civic… the passenger door locks are purely mechanical – and according to the manual turn off the car alarm when opened.

        • fartface says:

          You do not own a 2007 Civic. There are no locks on the passenger side. I have one, the only lock hole is on the driver’s side and it’s a switch with a chip reader.

          • rwinscot says:

            No door lock actuator on the passenger side?!? Honda has cheated me… I must get my money back!

            There is most certainly a door lock actuator on the passenger side – a keyhole? I didn’t say anything about a keyhole. Would you like to see pictures of my cars?

            Seriously… splitting hairs is such a time-suck.

  31. xorpunk says:

    A few notes from someone who has been following factory automotive security systems for a long time:

    1. 3xx MHz = States, 4xx MHz = Euro & other

    2. Hitachi, Megamos, Philips, TI make all the passive key transponders and have the manufacturers’ algorithms in their data-centers, protected by compromised RSA systems. These algorithms are also in the possession of government associates like DARPA, Prince contracting firms (ex: Blackwater USA) and others, and foreign intelligence through phishing and espionage.

    3. The FPGA that stores the challenge/response algos (there are two in all cars) has almost always been in the BCM on the CAN; fuel-management just does a simple check bit check. Mid-nineties and older cars that first implemented transponder keys had everything on one board and there was no CAN, same for the resistor based systems.

    4. Master ECMs exist for at least GM and can easily be hot-loaded.. Some CA and NYC repo firms somehow have these..

    5. All remotes can be cloned through cluster sequences, in most cases keys too, if you have two and a blank. Keys can all be cloned with only one key, providing you have the pricey machines, or know the algo and have an RFID transceiver (they are all standard RFID PHY).

    6. People still leave valet keys in their cars..

    7. High-end makes have satcom and tracking. Middle-eastern auto-theft rings operating inside the US can hack them. There are well documented FBI cases involving Mercedes..

    To anyone who thinks I just Googled that: Good luck finding it all on any search engine, but when you do it’s all on highly credible domains..

    • Whatnot says:

      On your google remark: countless are the times I failed to find technical info or PDF’s that I knew were out there, and I’m talking non-security stuff. I think google is pretty flawed unless you look for the very obvious mainstream stuff.

    • Willow says:

      ^- This. Yup. #4 – their $12K CANDII handheld will do the trick, there’s a fancier model as well. You can purchase them you just need to deal with automotive stuff and fill out some paperwork/legal stuff and pay a huge price for it. #5 Yup.

      The majority of ‘this type’ of exploit, this rash of them that is, are Hondas. There’s something to it likely.

    • fartface says:

      Not for GM. GM “chip keys” are just resistors until 1995; after that they are simple RFID. And GM keyfobs are as simple as garage door openers and have been until the mid-2000s. I know, I have hacked many a GM system and was surprised as to how half-assed GM security is on the cars.

      • xorpunk says:

        Everything is simple with these once their challenge/response is cracked. Every manufacturer on the planet uses the two remote bands and standard RFID PHY for keys. Some use stupid key blade etching too.

        The reason you don’t see it is because cars are expensive, and the few systems that can be dumped are really hard to do and take a long time just to prep to do so..

        It’s still uncharted territory in the security industry. Outside Johns Hopkins work that only affects RF units used by older GM and gas pumps, these systems have never been hacked.. literally.

        P.S. if you can get a clone or key head you can still slide-hammer out locks and start with a screwdriver on 2013 cars.

    • @xorpunk & @whatnot are not familiar with the true power of google

      http://www.johntedesco.net/blog/2012/06/21/how-to-solve-impossible-problems-daniel-russells-awesome-google-search-techniques/

      searchresearch1.blogspot.com

      http://www.powersearchingwithgoogle.com/

      Enjoy scraping your minds off the walls for the next week.

  32. eggstyrone says:

    They were never locked… remember that MacGyver episode with “Fizziks Follies” and the door lock competition?

  33. George Fetters says:

    I wonder if they are fooling the system into thinking the key is locked in the car. Some systems automatically unlock if the door is locked with the key in the car. My wife’s car does that.

    • You might be onto something. Maybe it’s easier to do from the passenger side?

      Though I expect it to unlock the passenger door (at least not for every car)

    • Beau says:

      I was thinking the same thing. My car won’t auto lock if the keys are inside. Maybe holding the device on that side of the car, makes the car think the keys are inside. However, the passenger side thing could simply be because people leave things on that side of the car. I always put my wallet etc, on the passenger seat or the glovebox…

  34. Mark says:

    Not reading all the comments, but with most car alarms, if you don’t have the key fob and you unlock the passenger door, it disarms the alarm. It did on my last 3 Suburbans and my mother’s Taurus. Unlock passenger door, alarm deactivates. As for what device they are using, I’m a ham op and I can get my auto locks to pop if I key up my UHF HT on high power (5 Watts) right next to the lock solenoid. If they are using a radio to pop the solenoid on the passenger door, the alarm thinks that you just used the key and deactivates.

  35. Jake says:

    I have the exact device used by these people. Jeezus, some of you are over thinking this. I only use mine for testing, it is not expensive, in the $1000 range.

    Do you really think the guys shown in the video are paying $12,000 for a smart piece of hardware? Just to steal some loose change, or stereos or whatever it is they are stealing?

    Some of the things you guys have described would cost 40 grand easily. Only one person here has hit the nail on the head (isitjustme), with 2 others that I can see who have the right idea.

    I swear some of you must cost your employers/companies huge amounts of money with the over thinking you do. Probably start with the hardest to accomplish theories and work your way to the simple ones when researching or developing. Jeezus.

    • Willow says:

      You don’t have to buy the equipment to make use of the benefits, you merely need access to one or get someone to generate seeded keys for you, using the devices. You can also have the devices tell the BCM to allow blank keys to work, and the like. I simply mentioned that because all the cars were the same parent model, and many likely go to the same dealership(s). This type of exploit was used in Gone in 60 Seconds, and has been used in crimes before. EMPs are always a good choice as well.

  36. george says:

    Looking at that video, it does just look like he simply tried the handle. I believe the device in his hand would just be a smartphone that he’s using as a misdirection, to make it look like he’s just nonchalantly strolling around looking at texts. However:

    I’ve thought about an attack for rolling-code wireless security that involves replays (I’m not sure if it could work on other systems). The idea is that you place a device on the target vehicle which plays a predictable and known noise signal in the frequency band of the key fob to block its ability to lock the door. When a person uses the key fob, which plays the current number of the rolling code, the signal is jammed and recorded by your device. If they walk away at that point then the car is unlocked, but if they try the fob again, you jam and record the next code and replay the previous one, which will then lock the car. The attacker then comes to the car and the device replays the recorded code.

    Of course the problem with this, aside from me not being sure how technically possible this is in the first place, is that you have to get the device near enough to their car before you try to do this. This means that you will either need to put it somewhere in a parking lot and just rely on blind luck, or actually stick it to the car and follow it around (or the device could include a GPS transponder for tracking the target).
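    Added illustration, not from george’s comment or anything else on this page: a Python model of the counter-based rolling code the comment describes, with the look-ahead window keyfob receivers typically use, plus an epoch-bound variant sketching the mitigation that makes a held-back code expire instead of staying valid indefinitely. The `Receiver` and `TimedReceiver` classes, `DEMO_KEY`, the window size and the epoch scheme are all assumptions made for this demonstration and do not model any manufacturer’s system.

```python
import hashlib
import hmac

# Constructed demo secret. A real fob holds a per-device key provisioned by
# the manufacturer; nothing here models any specific vendor's scheme.
DEMO_KEY = b"demo-fob-secret"


def rolling_code(counter: int, epoch: int = 0) -> bytes:
    """Derive a 4-byte code from the fob's press counter (and, for the timed
    variant, a coarse time epoch). An HMAC stands in for the encrypted
    counter a real fob transmits: it is one-way, so the next code cannot be
    predicted from the ones already heard."""
    msg = counter.to_bytes(4, "big") + epoch.to_bytes(4, "big")
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()[:4]


class Receiver:
    """Hypothetical counter-only receiver. It remembers the highest counter it
    has accepted and only searches a fixed window ahead of it, so pressing
    the fob out of range a few times does not desynchronise the pair."""

    def __init__(self, window: int = 16) -> None:
        self.last = 0          # highest counter accepted so far
        self.window = window   # how far ahead the receiver will search

    def receive(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code, rolling_code(c)):
                self.last = c  # consumes this and every lower counter
                return True
        return False


class TimedReceiver(Receiver):
    """Same idea, but each code is also bound to a coarse time epoch and the
    receiver only honours codes from the current or the previous epoch (the
    overlap tolerates clock drift). A code that was transmitted but never
    reached the car therefore expires rather than staying valid forever."""

    def __init__(self, window: int = 16, max_age: int = 1) -> None:
        super().__init__(window)
        self.max_age = max_age

    def receive(self, code: bytes, now_epoch: int = 0) -> bool:
        for age in range(self.max_age + 1):
            epoch = now_epoch - age
            for c in range(self.last + 1, self.last + 1 + self.window):
                if hmac.compare_digest(code, rolling_code(c, epoch)):
                    self.last = c
                    return True
        return False


def counter_only_scenario() -> list:
    """Constructed press sequence against the counter-only receiver."""
    rx = Receiver(window=16)
    return [
        rx.receive(rolling_code(1)),   # True: first press
        rx.receive(rolling_code(1)),   # False: straight replay, counter used
        rx.receive(rolling_code(4)),   # True: presses 2-3 happened out of range
        rx.receive(rolling_code(2)),   # False: older than the last accepted
        rx.receive(rolling_code(30)),  # False: too far ahead of the window
        rx.receive(rolling_code(6)),   # True: a code the car never heard stays
                                       # valid no matter how old it is
    ]


def timed_scenario() -> list:
    """Same sequence idea against the epoch-bound receiver."""
    rx = TimedReceiver(window=16, max_age=1)
    return [
        rx.receive(rolling_code(1, epoch=0), now_epoch=0),  # True
        rx.receive(rolling_code(2, epoch=0), now_epoch=1),  # True: previous epoch tolerated
        rx.receive(rolling_code(3, epoch=0), now_epoch=5),  # False: held-back code expired
        rx.receive(rolling_code(3, epoch=5), now_epoch=5),  # True: fresh code works
    ]


if __name__ == "__main__":
    print(counter_only_scenario())
    print(timed_scenario())
```

    Running the file prints the two result lists. The counter-only model shows why a plain replay of an already-heard code fails and why a code the car never received is the only thing worth holding back; the epoch-bound variant shows the cost of closing that gap, namely a fob that keeps time and a receiver that now checks (max_age + 1) × window candidates per press instead of window.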

    • Le Samourai says:

      How would you jam and capture a frequency (or band) at the same time? The very signal you were trying to record is the same you are trying to jam.

      • Adrian says:

        If you transmit a jamming signal while trying to capture a signal of interest, you will capture the jamming signal + the signal of interest. Since you know the jamming signal (you transmitted it) you can subtract it from the captured signal and obtain the transmitted signal.

        • Le Samourai says:

          Ah you’re right! Controlled jamming. Actually, you could probably do the subtraction all in the analog domain and still have a randomly generated noise jam signal.

    • Me says:

      Except that if they did this then they would know which car to hit as it’s the one they previously placed the device on or it’s the one in the spot where the device was left. Also, why the passenger side?

  37. Grayda says:

    If this were handled by Today Tonight in Australia:

    “Coming up next: How foreign terrorist criminals are stealing YOUR cars, and how you’re powerless to stop them. We also test the new super miracle fruit based cream that can take decades off your life!”

  38. Greenaum says:

    http://worldjammers.webs.com/

    These people seem to sell all sorts of interesting crap. Christ alone knows if any of it works. I’d imagine their refund policy is nonexistent. Buying a criminal tool off a bunch of Chinese pirates isn’t the height of reassurance.

    But the point is, there’s a car-locking jammer for sale! Any use in this case?

  39. rv49er says:

    I think it has to do with the following situation: A driver and a passenger are getting out of the car. The driver opens the door, gets out, closes the door, and presses the lock button. The passenger, slow getting out (old, checking makeup, getting something from back seat, etc), realizes the door is locked. The passenger manually unlocks the door, the courtesy light turns on, and the passenger exits.

    There is a setting on Honda (probably all) cars that only unlocks the driver door when the car is turned off. The passenger might be used to having to manually unlock the door.

    In this situation the car is armed with a passenger still inside. Should the alarm sound when the passenger exits? I would think no.

    Most people would not realize there is a difference between the lock button on the key and the lock in the car. Someone probably would be scared or panic if their car’s alarm went off. They probably wouldn’t even understand why it went off.

    If you usually drive by yourself, you have a good chance of getting out of the car and locking it subconsciously and not even think about locking the passenger in. You probably would just apologize while he/she unlocks the door and gets out.

    As for how it is unlocked, that is another question. Almost all of them are Honda/Acura. My Honda’s doors unlock in the direction of the handle. If the lock was made out of metal and you had a strong magnet on the outside, it would unlock. It could have to do with the solenoid.

    • cutandpaste says:

      Yes, the human aspect seems most likely.

      Different, but related:

      My GMC work truck locks its doors automatically when I put the transmission in drive. It unlocks automatically when I select park.

      Since I almost always drive the vehicle alone, this doesn’t bother me a bit: It’s not like I’ve ever tried to get out of the car with the thing in gear, going down the road…

      But when I stop to pick up or drop off a (rare) passenger, I find the following happens: The doors are locked. They try to get in/out, and can’t. I find myself fumbling for the lock button (which I never use while driving, or with the door closed for that matter) to disengage the locks.

      If I frequently had a passenger, this wouldn’t be an issue: I’d be used to this behavior. But again, I almost never do.

      I don’t see -anything- in TFV that suggests that the cars weren’t merely unlocked to begin with. I don’t need a tinfoil hat or an EMF generator to say that two cars of the same manufacturer caught unlocked in the same frame by two different thieves is more an eventuality than an odd and sophisticated technological coup.

      They grab the handle, and the dome light turns on as the door opens. Just as if it were unlocked. The singular instance of the unlocked, street-parked Honda caught by a dude’s household CCTV shows that a thief walked by, tried the door handle, noticed that it felt different than a locked door might, and then made a second move to open the door the rest of the way.

      He had probably tried hundreds of doors in the past; maybe even hundreds in just that one night. Of course he can feel when it is unlocked.

      I see opportunism, not cleverness.

  40. nah! says:

    My car leaves the right door open even when I remote lock it; that’s due to the servo being too weak or something, so most of the time it only locks on the second try.

    Probably that’s more common than I thought.

  41. natsfr says:

    KeeLoq was in theory unbreakable too :D
    Maybe they got their hands on the master key of some car manufacturer’s crypto system.
    Just an idea, but proven to work with old KeeLoq, so why not with the newest obscure technologies.

  42. eatith mee says:

    You guys railing on about EMP or EMI or whatever are crazy, you need a lot of energy to penetrate the steel of a car door with an EM field and actually cause a solenoid, which takes amps of current, to actuate… These guys are simply doing the ol’ pull and pray on the door handle. I work with high voltage and high power RF every single day with equipment that is nowhere near as shielded from EMI as a car and never have a relay or anything else for that matter simply actuate from a stray field, and there is no sort of encryption or CAN bus driving that stuff. The actual FET or transistor that is driving the relay which in turn powers the door actuator is buried in either the body or engine control module; you would need to induce, through steel, a current on a wire that is 12V at probably an amp if not a few amps to overcome the mechanical friction of the door locking parts, all just using an EM field… And if they are causing enough electrostatic hash to f*ck with the car’s electronics, the car would likely never start again, let alone not set the alarm off. Your cell phone would be screwing with your car and unlocking the doors if it were that easy. Modern cars are some of the best shielded devices out there when it comes to ESD and all the other nasty situations cars have to deal with and still work in the real world. A high voltage, high frequency generator such as a stun gun, etc, could maybe cause a little havoc, but you’d likely be setting off more car alarms than getting a door to actually unlock. They either have a remote code exploit that works on certain cars or they are simply trying door handles.

    • eatith mee says:

      And don’t get me wrong, if you are transmitting an EM field with the right remote control data at the right frequency you could do this, hence a remote control exploit. But brute force EMP or EMI? Uh, we get pretty bad thunder and electrical storms where I live, and I never had my car unlock itself when Thor came calling, although I have lost a T.V. or a telephone or two…

      • anonymous says:

        Unless your car is hit with a bolt of lightning, it won’t make a bit of impact from afar. EMP devices concentrate that magnetic field and throw it out in a direction. The falloff is immense, so being as close as possible to whatever you are trying to induce current into is a must. My theory is that they are hitting the passenger side doors because the coil for the unlock side of the solenoid is exposed to the door panel (less distance for the field to travel through.) The driver side is probably the lock side of the coil. They have to wait a brief period of time because the slider is probably moving to the unlock position (it isn’t directly coupled to a battery after all.) So holding the door handle is just so they can wait to feel for it to be in the unlock position. This hack only seems to work on certain cars because some cars don’t use solenoids, but servo motors. Servo motors need lots of current to actuate, solenoids not so much.

  43. Beau says:

    After watching the video, I think there are a few things to note. First is they always try passenger side, could just be cause of easy access to glove box etc. Second, they hold the handle for a second before it opens. If they were opening remotely, why would they do this?? Third, might not be much but interesting to note, the thieves that walked from back of car to front gained access, but front to back didn’t.

  44. jgmrequel says:

    While EMP and high voltage could work (and are quite cool), they’d leave some evidence of their use behind; arc points, cheaper caps burning out, etc.

    My two cents based on presented evidence: most if not all of the drivers here just forgot to lock their cars or didn’t verify that the cars were locked, and the police are reading too much into the pause. That pause before opening the door might just be them going slow to not create noise in opening the door.

    With the start of summer, people are more swift in going from car to buildings, minimizing the time spent in the heat. This means it’s more likely that they are walking away while locking their cars. Combine this with strict “hands free driving” laws, the first thing people are likely to do getting out of the car is to see what texts/messages they missed, distracting themselves from the autonomous behavior of locking their car. At my campus in grad school a couple years back, there was one test campus police did where they showed way too many cars in a single garage were just left unlocked. They would test every car, leaving notes behind and maintaining an increased presence on the floors they tested (since they were marking unlocked cars).

    All that being said, information not presented which would change my working theory (since this was not a direct police request for help but a sensationalized news story):

    * How many of each make and model car was successfully broken into/unsuccessfully accessed? (one or two of each a meaningful sample does not make)

    * Is there any confirmed sighting of this ‘device’? From what I saw, I couldn’t make out anything looking like it. The one with the gentleman walking by a car and surprised it opened quickly transferred his drink into the ‘device hand’, suggesting it was likely free.

    * Which neighborhoods/garages is this happening in? Based on the appearance of the neighborhood where the guy had a camera on his car, it looked like a nicer one where people would have more sense of comfort. The garage could be one supplying mainly a single corporate building, where many arrive at the same start time, and hence even if you listen for locks clicking or the confirmation horn, you might end up hearing someone else’s if it’s not a primary process of focus.

    * Is there evidence other than the driver’s assurances that the cars were locked? Presumably, with video surveillance available, the police went back in time to see if the car was in fact locked by the driver, but one cannot assume without evidence.

    From the evidence presented thus far, it’s hard to conclude anything other than driver error. But again, there could be evidence that wasn’t presented which would change this stance. Plus, the police may be pressured to do a fuller investigation as based on the cars and drivers, the noisiest victims appear to be middle to upper middle class, which sadly carries more weight than it should.

    That being said, my best theory of a device if one existed: simple brute-force broadcaster. A device which rapidly broadcasts known codes along with random codes of the correct length. Simple strolling would allow a shotgun approach to see what sticks. This would explain the pause by the cars of the gentleman with accomplice – taking the time required to quickly broadcast a known dictionary, and the surprise of the other gentleman, a random key struck after he passed. This would also explain make/model preference – different devices on different frequencies and different levels of security. With today’s miniaturization of higher performance computers in the forms of tablets and phones, there seems to be enough power out there to make a good go at it. This would leave no evidence behind,

    (sorry for enormity of this comment – my ocd towards puzzles doesn’t easily permit me to walk away without a proper go at it.)

    -James

    • Tron9000 says:

      “That being said, my best theory of a device if one existed: simple brute-force broadcaster. A device which rapidly broadcasts known codes along with random codes of the correct length. Simple strolling would allow a shotgun approach to see what sticks.” – James

      I’d say this was the most plausible. unlock codes would/could be/are issued to manufacturer garages.

      Someone loses their keys, rings up a manufacturer certified garage: “help, I’m locked out of my car” – service guy grabs code for that registration number. Programs a spare key and meets customer, along with a hefty bill no doubt!

      All it takes is a savvy mechanic and bribe/threat in the right direction to get these codes and nab a spare key to hack apart – “sorry boss I lost it on my last job!” (saying that, it could be an employee with nothing to lose here / getting fired anyway, as possibly losing one of these keys may be a sackable offence!). A relative works at a Ford certified/trained garage, stuff (even important stuff!) goes missing ALL the time and nobody gives a shit!

      Hack the key apart, scribble up some code, download the unlock codes and the program to a cheap micro-controller dev platform of their choice, sprag the controller output to the transmitter output.

      bingo, I’m sure with a button press it could rattle through all those unlock codes and “clunk”: x1 stolen motor!

      • Tron9000 says:

        Also note: 3x Acura (Honda here in the UK) motors stolen…..

      • cutandpaste says:

        Locked out of car? Usually that means the keys are inside. There’s lots of methods (the simplest of which is an inflatable wedge and a stiff rod that can hit the unlock button) to open a locked car door.

        Yes, a skilled and well-equipped locksmith, or a dealer, can sometimes make a new key for a modern car on the spot, but that’s unnecessary. These thieves weren’t stealing cars. They were stealing stuff from within cars. AFAICT, no attempt to drive the car was ever performed.

        So. Take apart a key and reprogram? Meh. You’re overthinking the situation. The car door’s lock simply has mechanical pins and tumblers, just like most any other lock. If it were any more complicated than that, a dead battery would mean either a broken window or a recycling center…and somehow I think if dead batteries were killing cars absolutely, that this would be bigger news than a thief discovering someone leaving the vehicle unlocked.

        Which is all that appears to be the case here: Thief approaches unlocked car, pulls handle gently, car door opens. I don’t see any indication of some magic device being used, except for the sensationalist Today show and a clueless cop insisting that it must be some new sorcery.

    • dALE says:

      dude, do the fucking research yourself you lazy ass

  45. jamie says:

    This has been happening for the last year in South Africa. The guys use an electric gate remote and hold the button in to put it into program mode. At that stage it blocks all the 433 MHz frequencies and prevents the car from locking.

  46. Maybe they pick up and amplify the signal from the original key, making the car think the owner is close.

    • I kinda doubt that. Most car remotes work on a rolling set of IDs. Now if someone figured out the algorithm that generates that code they could record the arming code. Since most people have to hit their remotes at least twice (once to lock and once to arm, and possibly a third time because it didn’t register a click) they now have a series to build off of.

      Even if they can’t reverse engineer the sequence, they could just let the algorithm run on a PC and save the results to a database. Have a Raspberry Pi nearby and do a database look-up when it reads a sequence. Have the RPi program an Arduino with the next possible 10 IDs in the most likely sequence and then walk over and blast the car with the sequence.

      The reason for the passenger side attacks is most likely so they can see an indicator light or dashboard sequence on a Uvo/Sync ID code. Something triggers it to appear that they use the info for the hack. More exotic hacks could be code injection through Bluetooth or tire pressure sensors.

  47. Darko Resnik says:

    He may be doing something as simple as holding a key remote so as not to look suspicious when going up to a car, trying the door handle to see if the owner forgot to lock the car. Never actually using the key remote to open any doors.

    • Khordas says:

      This is my thinking too. Holding out the key fob at least makes it look to casual observers like he’s the owner coming back for something. Much less probable that a casual observer is also the owner of the car to know he doesn’t belong. I think this is much less hi-tech than everyone is thinking, and he’s just trying doors at random; not everyone remembers to lock their doors.

  48. Pin says:

    I also think the cars are unlocked. When you use a key fob the lights usually blink on the front or back of the car, and the device they say you can barely see just looks like a door handle, and someone just freezes the frame to make it look like they were just standing there. The inside light did not turn on until they touched the handle; that is another indicator to me that a keyless method was not used, no indication they are being unlocked. My main vehicle I drive is a GMC truck and I have no experience with all the makes and models; they might act differently.

  49. RUSKEY101 says:

    Probably Blu Tack overloading the sensor. You can make different patterns on Blu Tack by putting it on fabric or other materials. The sensor, in combination with ease of access programming for the true driver, probably makes the assumption that a dotted matrix couldn’t be anything but the driver or a default setting.

  50. M4RM4L4D3 says:

    I have not read all of the comments, but this was my take: on one of the videos CBS showed, you can clearly see the “perp” (sorry, too many TV police dramas…) turn back after walking by the door, did he perhaps hear the door unlock? My take because of this, and I do not have a knowledge of how keyless entry works, is a RFID proximity type of keyless entry with some type of a random (key frequency) generator, perhaps using a small subset of known or a backdoor code or overload with a higher frequency. Had all of the “perps” touched the car like in another of the videos, I would have gone with a type of electric pulse.

    • cutandpaste says:

      He was surprised because it was unlocked. He pulled the handle, the dome light came on as if the door were about to be opened, and kept walking nonchalantly (because, seriously: if you’re walking down the sidewalk trying door handles, do you really stop and study each one?).

      It felt different. He came back and gave it another tug. It opened.

      ‘Nuff said. The car was simply unlocked.

      News at 11: $big_city layman leaves car unlocked, has things stolen from inside; blames sorcery.
